Threat Description

Messev

Details

Summary

Messev.3158 is an encrypted, memory-resident stealth virus that infects COM and DOS EXE
files. It also acts as a dropper for the Gwar boot virus. The virus body is encrypted
with a variable key; there are 255 possible key values, so the encrypted body looks
different from one infected file to the next.
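An added example, not F-Secure's detection code and not part of this description: how a
scanner copes with a body that is encrypted under one of 255 keys. It assumes the key is a
single non-zero byte and the cipher is XOR (the page only says "variable key, 255
variants"; the cipher itself is an assumption), and it uses a constructed plaintext
signature, not a real Messev signature. It shows the two usual approaches: trying all 255
keys, and matching on byte-to-byte differences, which for a single-byte XOR are the same in
plaintext and ciphertext and so need no decryption at all.

```python
# Added example. Assumption: single-byte XOR key, 1..255 (the page does not
# state the cipher). SIGNATURE is constructed for the example, not a real one.

SIGNATURE = b"MSSV\xcd\x21"   # constructed plaintext signature


def xor_bytes(data: bytes, key: int) -> bytes:
    """Encrypt/decrypt with a one-byte XOR key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def brute_force_key(cipher: bytes, signature: bytes = SIGNATURE):
    """Decrypt under every one of the 255 possible keys and look for the
    plaintext signature. Returns (key, offset) or None if no key fits."""
    for key in range(1, 256):
        plain = xor_bytes(cipher, key)
        off = plain.find(signature)
        if off != -1:
            return key, off
    return None


def delta_signature(data: bytes) -> bytes:
    """XOR of each byte with its successor. For a single-byte XOR cipher this
    is identical for plaintext and ciphertext, because
    (p[i] ^ k) ^ (p[i+1] ^ k) == p[i] ^ p[i+1]; the key cancels out."""
    return bytes(a ^ b for a, b in zip(data, data[1:]))


def match_without_decrypting(cipher: bytes, signature: bytes = SIGNATURE) -> int:
    """Locate the signature in the ciphertext without trying any key, by
    comparing delta signatures. Returns the offset or -1."""
    return delta_signature(cipher).find(delta_signature(signature))


def make_sample(key: int) -> bytes:
    """Constructed sample: filler bytes, the signature, then a DOS exit stub,
    all XOR-encrypted under `key`."""
    body = b"\x90" * 8 + SIGNATURE + b"\xb4\x4c\xcd\x21"
    return xor_bytes(body, key)


if __name__ == "__main__":
    sample = make_sample(0x5A)
    print("brute force:", brute_force_key(sample))        # (90, 8)
    print("delta match:", match_without_decrypting(sample))  # 8
```

The delta-signature match is what makes a 255-variant key cheap to handle: the scanner
matches once instead of decrypting 255 times per file, and only needs the brute-force
pass when it wants the key in order to disinfect.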

Removal

Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.

Technical Details

Messev installs itself in memory using the last MCB (memory control block) and immediately
passes control to its body there. The virus first traces the original Int 13h and Int 21h
handlers. It then tries to infect the hard disk with the Gwar boot virus, calling the
traced Int 13h and Int 21h handlers directly during this procedure, which bypasses any
monitor hooked into the interrupt chain.

To infect the MBR safely under Windows 95, the virus tries to delete the Windows 95 floppy
device driver HSFLOP.PDR in the \System\IOSubSys folder, but because of a bug in the
virus this never happens. The virus then checks whether Gwar is already present in memory
and, if it is not, infects the hard disk: the original MBR is copied to head 0, track 0,
sector 2 and Gwar is written to head 0, track 0, sector 1. As a result of this trick the
logical hard disk partitions become inaccessible when the machine is booted from a system
diskette.
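An added example (not F-Secure's tool and not from the original description) of how an
analyst can check a raw disk image for the layout described above and put the MBR back.
It reads the first two sectors (CHS 0/0/1 and 0/0/2 are LBA 0 and 1), decides whether
sector 2 carries a plausible MBR while sector 1 does not, and copies it back. The image
is constructed inline; the bytes used for the dropper's boot code are filler, not Gwar's
actual code, and whether a real Gwar sector preserves the partition table is not stated
on the page, so the heuristic is an assumption labelled as such.

```python
import struct

# Added example. Sector contents are constructed; the "dropper" sector is
# filler standing in for the boot virus, not real Gwar code.

SECTOR = 512


def parse_partition_table(sector: bytes):
    """Return the four 16-byte MBR partition entries starting at offset 446.
    Layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)."""
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        entries.append({"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def looks_like_mbr(sector: bytes) -> bool:
    """Heuristic (assumption): 0x55AA signature plus at least one used partition
    entry whose status byte is 0x00 or 0x80 and whose length is non-zero."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        return False
    used = [e for e in parse_partition_table(sector) if e["type"] != 0]
    return bool(used) and all(e["status"] in (0x00, 0x80) and e["sectors"] > 0 for e in used)


def find_displaced_mbr(image: bytes):
    """The page says Messev/Gwar copy the original MBR to CHS 0/0/2, i.e. the
    second sector of the disk. Return its index (1) when the second sector looks
    like an MBR and the first one does not, else None."""
    first, second = image[:SECTOR], image[SECTOR:2 * SECTOR]
    if looks_like_mbr(second) and not looks_like_mbr(first):
        return 1
    return None


def restore_mbr(image: bytes) -> bytes:
    """Return a copy of the image with the displaced original MBR written back
    to sector 0. Raises if the layout is not the one described."""
    idx = find_displaced_mbr(image)
    if idx is None:
        raise ValueError("no displaced MBR found in sector 2")
    backup = image[SECTOR * idx:SECTOR * (idx + 1)]
    return backup + image[SECTOR:]


def build_sample_image() -> bytes:
    """Constructed two-sector image mimicking the infected layout."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xfe\x3f\xff", 63, 1_000_000)
    original_mbr = b"\xfa\x33\xc0\x8e\xd0" + b"\x00" * 441 + entry + b"\x00" * 48 + b"\x55\xaa"
    dropper = b"\xeb\x3c\x90" + b"\x00" * 507 + b"\x55\xaa"   # filler, no partition table
    assert len(original_mbr) == SECTOR and len(dropper) == SECTOR
    return dropper + original_mbr


if __name__ == "__main__":
    img = build_sample_image()
    print("displaced MBR at sector index:", find_displaced_mbr(img))
    fixed = restore_mbr(img)
    print("partition type after restore:", hex(parse_partition_table(fixed[:SECTOR])[0]["type"]))
```

Run this only against a raw image taken from a clean boot: with Messev or Gwar resident,
anything read through the hooked Int 13h is subject to their stealth, and the page notes
that the partitions are invisible when booting from a diskette, so the image has to be
taken with a tool that reads physical sectors. The sector-2 heuristic can also misfire on
disks where a boot manager legitimately stores data there, so inspect before writing back.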

After dropping Gwar the virus hooks Int 13h and Int 21h. It then reads the attributes of
C:\COMMAND.COM and passes control to the original code of the infected host file.

COM and DOS EXE files are infected by Messev on access. The original first 12 bytes of the
file are copied to the end of the virus body and the virus then appends itself to the file.
The time stamp of an infected file is left unchanged except for the seconds value, which
is set to 60; a normal DOS write can never produce this, because the packed DOS time stores
seconds in two-second units from 0 to 58. Some programs larger than 400 KB and some packed
programs can become unusable after infection. When infected files are copied to a floppy
disk they appear to be clean.
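An added example, not from the original description and not F-Secure's scanner, of turning
the seconds-equals-60 marker into a cheap triage check. It decodes the 16-bit DOS packed
time field and scans a constructed FAT directory entry list for the impossible value. The
directory entries are built inline for the example; the check is an indicator only, since
the description does not claim that only Messev ever writes this value, and the virus's
stealth hides it while the virus is resident, so the scan is meant for a clean boot or an
offline image.

```python
import struct

# Added example. Directory entries below are constructed, not taken from an
# infected disk. DOS packed time: bits 0-4 seconds/2, bits 5-10 minutes,
# bits 11-15 hours, so the seconds field normally ranges 0..29 (0..58 s).

DIR_ENTRY = 32
TIME_OFFSET = 22    # offset of the packed time inside a FAT directory entry


def unpack_dos_time(packed: int):
    """Decode a 16-bit DOS packed time into (hours, minutes, seconds)."""
    seconds = (packed & 0x1F) * 2
    minutes = (packed >> 5) & 0x3F
    hours = (packed >> 11) & 0x1F
    return hours, minutes, seconds


def pack_dos_time(hours: int, minutes: int, seconds: int) -> int:
    """Encode a DOS packed time; seconds are stored halved, so 60 fits as 30."""
    return (hours << 11) | (minutes << 5) | (seconds // 2)


def has_messev_marker(packed_time: int) -> bool:
    """True when the seconds value decodes to 60, the value Messev writes and a
    regular DOS write cannot produce."""
    return unpack_dos_time(packed_time)[2] == 60


def build_dir_entry(name: str, ext: str, packed_time: int, size: int) -> bytes:
    """Constructed 8.3 FAT directory entry (name 0..7, ext 8..10, attr 11,
    time 22..23, date 24..25, size 28..31)."""
    entry = bytearray(DIR_ENTRY)
    entry[0:8] = name.ljust(8).encode("ascii")
    entry[8:11] = ext.ljust(3).encode("ascii")
    entry[11] = 0x20                                  # archive attribute
    struct.pack_into("<H", entry, TIME_OFFSET, packed_time)
    struct.pack_into("<H", entry, 24, 0x2257)         # constructed date field
    struct.pack_into("<I", entry, 28, size)
    return bytes(entry)


def scan_directory(raw: bytes):
    """Return the names of COM/EXE entries whose time field carries the 60 s marker.
    Free (0x00) and deleted (0xE5) entries are skipped."""
    hits = []
    for off in range(0, len(raw), DIR_ENTRY):
        e = raw[off:off + DIR_ENTRY]
        if len(e) < DIR_ENTRY or e[0] in (0x00, 0xE5):
            continue
        name = e[0:8].decode("ascii").rstrip()
        ext = e[8:11].decode("ascii").rstrip()
        if ext not in ("COM", "EXE"):
            continue
        packed = struct.unpack_from("<H", e, TIME_OFFSET)[0]
        if has_messev_marker(packed):
            hits.append(f"{name}.{ext}")
    return hits


if __name__ == "__main__":
    marked = pack_dos_time(12, 30, 60)
    clean = pack_dos_time(9, 15, 44)
    raw = (build_dir_entry("COMMAND", "COM", marked, 54645)
           + build_dir_entry("EDIT", "COM", clean, 69886)
           + build_dir_entry("README", "TXT", marked, 1200))
    print(scan_directory(raw))   # ['COMMAND.COM']
```

The same decode applies to the time fields DOS returns through Int 21h function 57h, so
the check works on a directory listing as well as on raw FAT sectors; just remember that
a resident Messev hides the marker, which is why the page says copies made to a floppy
look clean.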

The virus uses anti-debugging tricks. It disables the keyboard and, if that fails,
performs a trick with stack values and writes garbage to the DOS boot record. This can
happen if the virus is debugged carelessly.

The stealth routine of the virus hides all signs of its presence in infected objects.
When archivers (ARJ.EXE, PKZIP.EXE, LHA.EXE and RAR.EXE), CHKDSK or TBSCAN are executed,
the virus disables its stealth routines, so these programs see the infected files as
they really are on disk.

Technical Details: Alexey Podrezov, Szor Peter, F-Secure, 1997
